MangoAutomation / ma-core-public

Mango Automation Core public code

Password Strength Enforcement #73

Closed terrypacker closed 4 years ago

terrypacker commented 10 years ago
terrypacker commented 7 years ago

Closing this as password strength is enforced, and opening new issue #987

jazdw commented 7 years ago

Password strength is not enforced, the new UI has a client side restriction of minimum 8 characters but that is it. We should check the password strength in the user validation and provide a system setting to enable different password complexities.

Puckfist commented 6 years ago

What're we thinking, the regular boolean must contain numbers, capitals, symbols sort of thing + minimum length or let them put in their own regex to validate passwords against?

terrypacker commented 6 years ago

Alarm raised completed in #987

terrypacker commented 6 years ago

This looks like a good candidate for a library: https://github.com/vt-middleware/passay

I'm against the regex plan because it doesn't help with the dictionary of common words that would normally be rejected in passwords.

Puckfist commented 6 years ago

Figure out #907 at the same time?

jazdw commented 5 years ago

This was partially implemented in 53465f5187b655a02b22fbd09d81dd3d8882aebc

There is now an 8 character minimum password length and password expiration settings in system settings.

terrypacker commented 5 years ago

Also #907 is handled by the above referenced commit. We are using Passay's LengthRule of >=8 and <=255.

terrypacker commented 5 years ago

The plan is to create a system setting drop down to choose the most common password restriction configurations.

terrypacker commented 5 years ago

Use a setting for minimum length and a drop down that lets you select a minimum required character set:

- Alphabet only
- Alpha-numeric
- Alpha-numeric-symbol
- Require upper and lower case

jazdw commented 5 years ago

Actually may as well allow for them to set any number of characters for each character type, easy enough to do. Store settings as JSON perhaps:

```json
{
  "length": {
    "min": 8,
    "max": 64
  },
  "characters": {
    "upperCase": 1,
    "lowerCase": 1,
    "digit": 1,
    "special": 1
  }
}
```
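Validating a password against a policy in the JSON shape proposed above, as an added Python example rather than the project's Java code (Mango uses Passay; this is not Passay, and the policy, the common-word list, and the message wording are constructed for the illustration, the wording following the validation response quoted further down in this thread). It returns every violation rather than the first, and adds the dictionary check that a pure regex policy cannot express:

```python
import json

# Constructed policy in the JSON shape proposed above (hypothetical; not
# Mango's real system-settings schema).
POLICY_JSON = """
{
  "length": {"min": 8, "max": 64},
  "characters": {"upperCase": 1, "lowerCase": 1, "digit": 1, "special": 1}
}
"""
POLICY = json.loads(POLICY_JSON)

# Constructed stand-in for a real common-password / dictionary list.
COMMON_WORDS = ("password", "letmein", "qwerty", "welcome", "admin", "mango")

# For each character class the policy may name: its label in messages and a
# per-character test. "special" is anything that is not a letter or digit.
CHARACTER_CLASSES = {
    "upperCase": ("uppercase", str.isupper),
    "lowerCase": ("lowercase", str.islower),
    "digit": ("digit", str.isdigit),
    "special": ("special", lambda c: not c.isalnum()),
}


def validate_password(password, policy=POLICY, previous=None, common_words=COMMON_WORDS):
    """Return every policy violation (not just the first) so the UI can show all of them."""
    messages = []

    length = policy.get("length", {})
    if "min" in length and len(password) < length["min"]:
        messages.append(f"Password must be at least {length['min']} characters")
    if "max" in length and len(password) > length["max"]:
        messages.append(f"Password must be at most {length['max']} characters")

    for key, required in policy.get("characters", {}).items():
        label, test = CHARACTER_CLASSES[key]
        if sum(1 for c in password if test(c)) < required:
            messages.append(f"Password must contain {required} or more {label} characters")

    # Dictionary check: drop case, digits and symbols so "Password123!" still
    # matches "password". A real deployment would use a large list with
    # fuzzy matching (leet substitutions etc.); the list here is a stand-in.
    letters = "".join(c for c in password.lower() if c.isalpha())
    for word in common_words:
        if len(word) >= 4 and word in letters:
            messages.append(f"Password contains a common word: {word}")
            break

    if previous is not None and password == previous:
        messages.append("You cannot use the same password twice in a row")
    return messages


def validation_response(messages):
    """Build a 422 body in the shape of the API response quoted later in this thread (constructed copy of that shape)."""
    return {
        "cause": None,
        "result": {
            "messages": [{"level": "ERROR", "message": m, "property": "password"} for m in messages]
        },
        "mangoStatusCode": 4002,
        "mangoStatusName": "VALIDATION_FAILED",
        "localizedMessage": "Validation failed",
    }


if __name__ == "__main__":
    for pw in ("password", "Ab1!", "Tr0ub4dor&3", "Correct-Horse-Battery-Staple-42"):
        print(pw, "->", validate_password(pw) or "OK")
```

The policy dict is iterated in file order, so the order of messages in the response follows the order of the `characters` keys in the settings, which is what a UI needs if it wants to show all of them under the input rather than only the first.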
terrypacker commented 5 years ago

Another option is

```js
{
  rules: [
      {type: 'UPPER_CASE'},
      {type: 'LENGTH', min: 8, max: 64},
      {type: 'LOWER_CASE'},
      ...
   ]
}
```
resotek commented 5 years ago

Requiring passwords with digits or punctuation and mixed case has made them harder to remember, but not more secure than longer passwords. The classic case is made in XKCD: Password Strength. A minimum length requirement with a dictionary check would be much more secure; or let the administrator choose their own policy.

Perhaps something like this Nbvcxz - Password strength estimator could be used. It includes word lists and common dates with fuzzy matching. I have not vetted it, but it had a high search result rank. The password check should occur on new password entry and also on login, in the case where a new password policy was implemented. Otherwise existing users could continue using weak passwords. Retroactive enforcement may require a time stamp on the password policy and on each user, or always checking every login.

Login failures are already logged. They should also increment a counter and raise an alarm, and perhaps a cooling off timeout period to limit the password retry rate. By default, less than 3 seconds between passwords should be assumed to be a robot, and should not be allowed.
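The login-time checks described in the comment above (re-validate the password against the policy when the policy is newer than the user's last check, count failures and raise an alarm, refuse retries faster than 3 seconds, and lock out after repeated failures), as an added Python example. This is not the project's code and not how Mango implements its authentication rate limiting; the `User` and `LoginGuard` classes, the PBKDF2 storage, the thresholds and the timestamps are constructed for the illustration, and the policy validator is passed in as a callable so any checker can be plugged in:

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Callable, List

# A policy check returns the list of violations (empty when the password passes).
Validator = Callable[[str], List[str]]


@dataclass
class User:
    name: str
    salt: bytes = b""
    pw_hash: bytes = b""
    policy_checked_at: float = 0.0     # when the password last passed the policy in force
    last_attempt_at: float = -1e9      # epoch seconds of the last login attempt
    failures: int = 0                  # consecutive failed attempts

    def set_password(self, password: str, now: float) -> None:
        # PBKDF2 is stdlib-only and fine for a demo; a deployment would use bcrypt/argon2.
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.policy_checked_at = now   # a newly set password is assumed validated against the current policy

    def verify(self, password: str) -> bool:
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        return hmac.compare_digest(cand, self.pw_hash)


@dataclass
class LoginGuard:
    validate: Validator
    policy_updated_at: float           # timestamp of the current password policy
    min_interval: float = 3.0          # attempts closer together than this are treated as a robot
    lockout_after: int = 5             # consecutive failures that trigger an alarm and a lockout
    lockout_seconds: float = 300.0
    alarms: List[str] = field(default_factory=list)

    def login(self, user: User, password: str, now: float) -> str:
        """Return 'ok', 'must_change_password', 'too_fast', 'locked' or 'bad_credentials'."""
        if user.failures >= self.lockout_after and now - user.last_attempt_at < self.lockout_seconds:
            return "locked"                      # do not even check the password while locked out
        if now - user.last_attempt_at < self.min_interval:
            self._fail(user, now, "retry faster than min_interval")
            return "too_fast"
        if not user.verify(password):
            self._fail(user, now, "bad credentials")
            return "bad_credentials"
        user.failures = 0
        user.last_attempt_at = now
        # Retroactive enforcement: the plaintext is available at login, so check it
        # against the policy if the policy changed after the password was last checked.
        if user.policy_checked_at < self.policy_updated_at:
            if self.validate(password):
                return "must_change_password"
            user.policy_checked_at = now
        return "ok"

    def _fail(self, user: User, now: float, why: str) -> None:
        user.failures += 1
        user.last_attempt_at = now
        if user.failures >= self.lockout_after:
            self.alarms.append(f"{user.name}: {user.failures} consecutive login failures ({why})")


def run_scenario():
    """Constructed walk-through; returns the login outcomes and the alarms raised."""
    # Stand-in policy check: real code would call the JSON-policy validator.
    policy_check = lambda pw: [] if len(pw) >= 12 else ["Password must be at least 12 characters"]
    guard = LoginGuard(validate=policy_check, policy_updated_at=1000.0)

    alice = User("alice")
    alice.set_password("short1!", now=500.0)            # set before the policy tightened at t=1000
    outcomes = [
        guard.login(alice, "wrong-guess", now=2000.0),   # bad_credentials
        guard.login(alice, "short1!", now=2001.0),       # too_fast: 1 s after the previous attempt
        guard.login(alice, "short1!", now=2010.0),       # must_change_password: old password fails new policy
    ]
    alice.set_password("Correct-Horse-42", now=2020.0)
    outcomes.append(guard.login(alice, "Correct-Horse-42", now=2030.0))   # ok

    bob = User("bob")
    bob.set_password("Whatever-Pw-99", now=100.0)
    for t in range(1000, 1025, 5):                                        # five wrong guesses, 5 s apart
        outcomes.append(guard.login(bob, "nope", now=float(t)))
    outcomes.append(guard.login(bob, "Whatever-Pw-99", now=1025.0))      # locked, even with the right password
    outcomes.append(guard.login(bob, "Whatever-Pw-99", now=1400.0))      # lockout expired, policy re-check passes
    return outcomes, guard.alarms


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

The lockout window is measured from the last counted failure, so hammering a locked account does not extend it; after it expires, the failure counter is still at the threshold, so one more wrong guess locks the account again immediately, while a correct login resets it.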

terrypacker commented 4 years ago

@resotek as of Mango 3.6 we have implemented rate limiting for authentication attempts, this is configured in the env properties.

terrypacker commented 4 years ago

The commit to fix up the validation 5168acdf30227070988662a928e3647d147550a3

jazdw commented 4 years ago

UI for password complexity system settings was added in infiniteautomation/ma-dashboards@e3518c021d61d79da0856512d5a18ce9f6c33965

terrypacker commented 4 years ago

@jazdw The validation messages are not working properly. There is nothing displayed on the form and the toast at the bottom only displays the 1st validation message. Here is the 422 response when multiple rules have been violated:

```json
{
  "cause" : null,
  "result" : {
    "messages" : [ {
      "level" : "ERROR",
      "message" : "Password must contain 2 or more uppercase characters",
      "property" : "password"
    }, {
      "level" : "ERROR",
      "message" : "Password must contain 1 or more digit characters",
      "property" : "password"
    }, {
      "level" : "ERROR",
      "message" : "Password must contain 1 or more special characters",
      "property" : "password"
    }, {
      "level" : "ERROR",
      "message" : "You cannot use the same password twice in a row",
      "property" : "password"
    } ]
  },
  "mangoStatusCode" : 4002,
  "mangoStatusName" : "VALIDATION_FAILED",
  "localizedMessage" : "Validation failed"
}
```
jazdw commented 4 years ago

We never display more than one validation message at a time.

The message was not showing up under the input due to our change from v1 to v2 endpoint. The component was looking for the validation messages in the wrong property of the returned data.

jazdw commented 4 years ago

@terrypacker Happy to close this one now?

terrypacker commented 4 years ago

Yes